feat(handler): add support for PE files with extraction of NSIS executable

Add support for PE file by relying on LIEF to parse PE file once matched
on 'MZ' or 'PE' signature.

If the file is a self-extractable NSIS executable
("Nullsoft.NSIS.exehead" present in manifest) we extract it with 7zip.

Co-authored-by: Quentin Kaiser <quentin.kaiser@onekey.com>

Author: jcrussell

python/unblob/handlers/__init__.py

@@ -37,7 +37,10 @@
     zlib,
     zstd,
 )
-from .executable import elf
+from .executable import (
+    elf,
+    pe
+)
 from .filesystem import (
     cramfs,
     extfs,
@@ -115,6 +118,7 @@
     zstd.ZSTDHandler,
     elf.ELF32Handler,
     elf.ELF64Handler,
+    pe.PEHandler,
     zlib.ZlibHandler,
     engenius.EngeniusHandler,
     ecc.AutelECCHandler,

python/unblob/handlers/executable/pe.py

@@ -0,0 +1,104 @@
+import io
+from pathlib import Path
+from typing import Optional
+
+import lief
+from structlog import get_logger
+
+from unblob.extractors.command import Command
+
+from ...models import (
+    Extractor,
+    ExtractResult,
+    File,
+    Handler,
+    HandlerDoc,
+    HandlerType,
+    HexString,
+    Reference,
+    ValidChunk,
+)
+
+lief.logging.disable()
+
+logger = get_logger()
+
+
+class PEExtractor(Extractor):
+    def extract(self, inpath: Path, outdir: Path) -> Optional[ExtractResult]:
+        binary = lief.PE.parse(inpath)
+        if binary and self.is_nsis(binary):
+            return Command("7z", "x", "-y", "{inpath}", "-o{outdir}").extract(
+                inpath, outdir
+            )
+        return None
+
+    def is_nsis(self, binary: lief.PE.Binary) -> bool:
+        # Test if binary appears to be a Nullsoft Installer self-extracting archive
+        # see https://github.com/file/file/blob/7ed3febfcd616804a2ec6495b3e5f9ccb6fc5f8f/magic/Magdir/msdos#L383
+
+        if binary.has_resources:
+            resource_manager = binary.resources_manager
+            if (
+                isinstance(resource_manager, lief.PE.ResourcesManager)
+                and resource_manager.has_manifest
+            ):
+                manifest = (
+                    resource_manager.manifest
+                    if isinstance(resource_manager.manifest, str)
+                    else resource_manager.manifest.decode(errors="ignore")
+                )
+                if "Nullsoft.NSIS.exehead" in manifest:
+                    return True
+        return False
+
+
+class PEHandler(Handler):
+    NAME = "pe"
+
+    PATTERNS = [
+        HexString(
+            """
+            // MZ header
+            4d 5a
+            """
+        ),
+        HexString(
+            """
+            // PE header
+            50 45 00 00
+            """
+        ),
+    ]
+
+    EXTRACTOR = PEExtractor()
+
+    DOC = HandlerDoc(
+        name="pe",
+        description="The PE (Portable Executable) is a binary file format used for executable code on 32-bit and 64-bit Windows operating systems as well as in UEFI environments.",
+        handler_type=HandlerType.EXECUTABLE,
+        vendor="Microsoft",
+        references=[
+            Reference(
+                title="PE Format",
+                url="https://learn.microsoft.com/en-us/windows/win32/debug/pe-format",
+            ),
+            Reference(
+                title="Portable Executable Wikipedia",
+                url="https://en.wikipedia.org/wiki/Portable_Executable",
+            ),
+        ],
+        limitations=[],
+    )
+
+    def calculate_chunk(self, file: File, start_offset: int) -> Optional[ValidChunk]:
+        file.seek(start_offset, io.SEEK_SET)
+
+        binary = lief.PE.parse(file[start_offset:])
+        if not binary:
+            return None
+
+        return ValidChunk(
+            start_offset=start_offset,
+            end_offset=start_offset + binary.original_size,
+        )

tests/integration/executable/pe/__input__/nsis-3.11-setup.exe

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:38d49f8fe09b1c332b01d0940e57b7258f4447733643273a01c59959ad9d3b0a
+size 1564991

tests/integration/executable/pe/__input__/nsis-3.11-setup.exe.padded

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3a2b771cbf044fadb9c584575f66037d3126a75c6a20faa5e53d5dad56bb0443
+size 1565023

tests/integration/executable/pe/__input__/zip2exe.exe

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:407be964e953ca6fe0380f56f1df3d72f7789cb210506ca27cc428cb654ec609
+size 23040

tests/integration/executable/pe/__input__/zip2exe.exe.padded

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c9d34d054b23078eb6b86b82d3dc152f7f9df983fa1654f8dd49320bc166129e
+size 23072

tests/integration/executable/pe/__output__/nsis-3.11-setup.exe.padded_extract/0-16.padding

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb
+size 16

tests/integration/executable/pe/__output__/nsis-3.11-setup.exe.padded_extract/16-1565023.pe

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3474e0a8b672e53f9667c72322788e459c40f9d0632705f790fa329e539edeac
+size 1565007

tests/integration/executable/pe/__output__/nsis-3.11-setup.exe.padded_extract/16-1565023.pe_extract/$PLUGINSDIR/System.dll

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
+size 12288

tests/integration/executable/pe/__output__/nsis-3.11-setup.exe.padded_extract/16-1565023.pe_extract/$PLUGINSDIR/modern-header.bmp

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0f3b85a4a7bd2c6baa7b2b24590ea69e656384130fa8212e944016c46ac7e7d1
+size 25820